AnsweredAssumed Answered

CyberArk Password Vault - Secured Integration

Question asked by Alex Grant on Dec 5, 2019
Latest reply on Dec 6, 2019 by Kristian Nordman
  • Comment1

Hi folks,

 

I'm trying to integrate IGL 7.1.1 P03 with our CyberArk vault through AIM. I have general connectivity, but I can't seem to nail down the secured connection.

 

WSDL URL: <AIM-WSDL-URL>

Authentication: One-Way SSL

 

I've made sure that the root CA cert in my organisation has been added to the /var/lib/ca-certificates/java-cacerts keystore (which is symlinked to $JAVA_HOME/jre/lib/security/cacerts). Its entry type is trustedCertEntry. However, the password vault has difficultly establishing the PKIX path. There are no intermediate certificates, just the root CA and the server certificate.

 

com.aveksa.server.passwordvault.VaultConnectionException: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
......

curl -k <AIM-WSDL-URL> works successfully from the server CLI.

Kristian Nordman
Kristian Nordman Dec 6, 2019 7:31 AM
Correct Answer

Hi!

 

Certificates are great when they work, but can be fickle to set up. This will be a lenghty post, but should be useful for similar issues with certificates as it is a recurring problem.

 

One of the tools I use for debugging them is SSLPoke with a wrapper. I'm not sure where I first found it, but it may have been at Test of java SSL / keystore / cert setup. Check the comment #1 for howto. · GitHub .

 

I'll post the code in full here. Along with a wrapper and a short how-to.

 

SSLPoke.java

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establish a SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.out.println("Usage: "+SSLPoke.class.getName()+" <host> <port>");
            System.exit(1);
        }
        try {
            SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));

            InputStream in = sslsocket.getInputStream();
            OutputStream out = sslsocket.getOutputStream();

            // Write a test byte to get a reaction :)
            out.write(1);

            while (in.available() > 0) {
                System.out.print(in.read());
            }
            System.out.println("Successfully connected");

        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }
}

 

wrapper.sh

#!/bin/bash
/etc/alternatives/java_sdk_openjdk/bin/java \
   -cp . \
   -Djavax.net.ssl.keyStore=/home/knn/mutual-tls-ssl/client/src/test/resources/identity.jks \
   -Djavax.net.ssl.keyStorePassword=secret \
   -Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el6_10.x86_64/jre/lib/security/cacerts \
   -Djavax.net.ssl.trustStorePassword=changeit \
   SSLPoke $1 $2

If needed, you can add  -Djavax.net.debug=ssl:handshake to the arguments and see a lot more debugging info regarding the certificates. Change /etc/alternatives/java_sdk_openjdk/bin/java to reflect your environment based on the binary used by wildfly.

 

How to run

./wrapper.sh <host> <port>

$ javac SSLPoke.java
$ ./wrapper.sh www.google.com 443
Successfully connected

 

From there you can swiftly test your certificate chain to see if your changes are effective or not rather than restart IG&L for each attempt.

 

With the tools in place, troubleshooting can start.

 

Grep your processes for wildfly to figure out which jdk/jre is used by IG&lL

[oracle@ip-172-31-20-2 ssl]$ ps aux | grep wild
oracle    6569  0.0  0.0 106116   364 ?        S    Nov27   0:00 /bin/sh /home/oracle/wildfly/bin/standalone.sh --server-config=aveksa-standalone-full.xml
oracle    6677  1.7 27.2 7918292 4479640 ?     Sl   Nov27 220:34 /etc/alternatives/java_sdk_openjdk/bin/java -D[Standalone] -Xms3259m -Xmx3259m -XX:MaxMetaspaceSize=575m -XX:InitiatingHeapOccupancyPercent=10 -XX:+AlwaysPreTouch -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+ParallelRefProcEnabled -XX:+UseStringDeduplication -Djava.awt.headless=true -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/home/oracle -Dclient.encoding.override=UTF-8 -Dfile.encoding=UTF-8 -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Addresses=false -Dwp-client-hostname=172.31.20.2 -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n -Dorg.jboss.boot.log.file=/home/oracle/wildfly/standalone/log/server.log -Dlogging.configuration=file:/home/oracle/wildfly/standalone/configuration/logging.properties -jar /home/oracle/wildfly/jboss-modules.jar -mp /home/oracle/wildfly/modules org.jboss.as.standalone -Djboss.home.dir=/home/oracle/wildfly -Djboss.server.base.dir=/home/oracle/wildfly/standalone --server-config=aveksa-standalone-full.xml
oracle   20674  0.0  0.0 103328   868 pts/1    S+   13:24   0:00 grep wild

In my case it is /etc/alternatives/java_sdk_openjdk/bin/java

From the regular structure of the java installation we know that the cacerts used by default is located at /etc/alternatives/java_sdk_openjdk/jre/lib/security/cacerts, which is a symlink to ../../../../../../../etc/pki/java/cacerts.

[oracle@ip-172-31-20-2 ssl]$ ls /etc/alternatives/java_sdk_openjdk/jre/lib/security/cacerts  -lha
lrwxrwxrwx. 1 root root 41 May 13  2019 /etc/alternatives/java_sdk_openjdk/jre/lib/security/cacerts -> ../../../../../../../etc/pki/java/cacerts

 

This is where you must add your organizations Root CA. You may also need to add your intermediate CA.

 

Now if you try the SSLPoke against your CyberArk you should see a successful connection.

See the reply in context
No one else had this question

Outcomes

    Visibility: RSA Identity Governance & Lifecycle420 Views
    Last modified on Dec 5, 2019 6:54 AM
    Tags:
    Categories: Data Collection
    Ratings: